[Bro-Dev] Autodoc: how to link to another script?

Gregor Maier gregor at icir.org
Wed Aug 10 13:40:16 PDT 2011


On 8/10/11 13:29 , Seth Hall wrote:
>
> On Aug 10, 2011, at 4:22 PM, Seth Hall wrote:
>
>> On Aug 10, 2011, at 4:13 PM, Gregor Maier wrote:
>>
>>> sounds good to me. However, I wouldn't put it in base. I think the default should be to not decapsulate tunnels!
>>
>> I agree.  I think we should have a configuration variable to enable it, but the support for *how* it's actually accomplished and logged seems like something that should be in the base.
>
>
> Continuing this thought... outside of base/ (in policy/protocols/conn) it might make sense to do things that actually "detect" something.  I consider non-obfuscated tunnel decapsulation very similar to normal protocol analysis.  The rule of thumb is that the scripts in base/ should only be doing protocol logging and state building which is exactly what it sounds like your tunnel.bro script is doing. :)

Well it depends. The script does two--three things:

1) enable tunnel decapsulation by redef'ing the appropriate consts
2) create a tunnel.log file that logs all tunneled connections (c$id,
    c$uid) and the parent connection.
3) provide a single point where the tunnel stuff is documented (what it
    does, how to tune it, its limitations). (I love the new autodoc
    features!!)


(1) and (3) are kinda related. I always found it very hard to know and 
understand what all the 100's of redef'able consts in bro.init did. I 
think doing it this way is a nice way of putting the documentation 
together and giving users an easy way to access the functionality (load 
the tunnel script, look at its documentation for details).

We can probably split it up and put (1) in policy/ and (2) in base/. 
However, (2) only works if the connection_compressor is disabled 
(otherwise the identity of the tunnel is lost), so this makes it more 
problematic to put it in base (at least while the connection_compressor 
remains on by default).

I've attached the current version. Might be easier to just look at it 
than explaining it via email ;-)

cu
gregor

-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: tunnel.bro
Url: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110810/30dae8a7/attachment.ksh 

